Constructive interval temporal logic in Alf - University of Kent

Download PDF
1 downloads 0 Views 137KB Size Report
Comment
Abstract. This paper gives an implementation of an interval temporal logic in a constructive type theory, using the Alf proof system. After explaining theĀ ...
Constructive interval temporal logic in Alf Simon Thompson Computing Laboratory University of Kent at Canterbury [email protected]

Abstract. This paper gives an implementation of an interval temporal logic in a constructive type theory, using the Alf proof system. After explaining the constructive approach, its relevance to interval temporal logic and potential applications of our work, we explain the fundamentals of the Alf system. We then present the implementation of the logic and give a number of examples of its use. We conclude by exploring how the work can be extended in the future.

1 Introduction The traditional approach to executing temporal logics is to execute the formulas of the logic; this is in accord with the logic programming paradigm. The implementation can be deterministic for particular subclasses of formulas, as in the approach taken by Moszkowski and others [8, 6, 4]. On the other hand, all the formulas of a logic can be executed using a backtracking mechanism; this is shown by Gabbay's normal form result in [5] and is implemented in the various MetateM systems [1] amongst others. There is another paradigm for implementing logics, based on a constructive philosophy [7, 11]. Instead of formulas being seen as true or false on the basis of truth tables or model theory, a constructive approach takes proof as the means of exhibiting validity; as a slogan, one might say that constructive logic is `proof functional' rather than `truth functional'. A constructive proof of a proposition contains more information than a classical version, so that from a proof we can derive all the evidence for the proposition being valid. For instance, a proof of an existential statement will contain a witness which is an object for which the statement holds. Under the constructive approach, then, we execute not the formulas of the logic but their proofs, which we can see from the discussion above contain suf cient witnessing information to be executable. Further details of the basics of constructive logics, and their interpretation as programming languages can be found in Section 2. The system in which we make our implementation is Alf, which comes from the programming logics group at Chalmers University of Technology in Goteborg, Sweden. We give a short introduction to Alf in Section 3. The logic we look at here is an interval temporal logic, which describes nite intervals. Because of this, besides containing the familiar temporal operators 2,

3 and so on, interval temporal logics also contain predicates which can only apply to nite intervals, such as those which measure length or which compose two propositions in sequence (or `chop'). Introductions to the logic are to be found in [8, 4, 2] and we refer readers there for further details. One distinctive aspect of our logic is that it involves atomic actions which happen at the instants of an interval. The approach we examine here can equally well be used to give a constructive account of an in nitary linear (or branching time) logic. Details of an implementation in the Coq system are to be found elsewhere [10]. We see three strengths of the work reported here. { We provide a single system in which we can model both speci cations and their implementations. Speci cations can be related by logical inference, and are shown to be consistent by exhibiting an implementation; inconsistent speci cations will simply have no implementation. { We maintain two levels of abstraction in our system. In speci cations we can use operators such as 3 and `chop' which can be realised in many ways; we can think of them as non-deterministic. In our implementations or proofs we have determinism. For example, a constructive proof of a formula 3P will show not only that P holds at some point in the future but also will state at precisely which point in the future P holds. This distinction is entirely appropriate to the modelling applications of interval temporal logics. { An implementation of a logic such as this forces an implementer to check the coherence of his or her de nition of the logic. In our work here we see a distinction between the notions of interval and interval proposition which in an informal account may be elided. We also have to maintain a distinction between an action A, say, and the proposition that `A happens (now)'. In our related work on linear-time temporal logics, [10], the issue of whether the logic is anchored or not has to be addressed at an early stage in writing the implementation. I am grateful to Erik Poll both for supplying an implementation of basic logic for modi cation and for making a number of useful comments on drafts of the paper. I would also like to thank Howard Bowman, Helen Cameron and Peter King for their collaboration in the Mexitl [2] work. It was this which stimulated the investigation reported here.

2 Constructive logic What counts as a constructive proof of a formula? An informal explanation is given in Figure 1. That this gives the logic a distinctive character should not be in question; while truth functionally one would accept A _ :A for any A, it is by no means clear that for an arbitrary formula one can nd either a proof of A or a proof that A is contradictory. On the other hand we can see that proofs are much more informative than in the classical case. A proof of a disjunction must be a proof

A^B A_B A!B

A proof of A ^ B consists of a proof of A and a proof of B . A proof of A _ B consists either of a proof of A or of a proof of B . A proof of A ! B is a method (or function) taking proofs of A into proofs of B . (9x 2 A)B (x) A proof of (9x 2 A)B (x) consists of an element a of A together with a proof of B (a). (8x 2 A)B (x) A proof of (8x 2 A)B (x), which we also write (x 2 A) ! B , consists of a function taking x in A to a proof of B (x).

Fig. 1. Proof in constructive logic

of one of the disjuncts, and a proof of an existential statement must provide a witness which is a point where the statement holds, together with a proof that it does indeed hold at that point. How does a constructive implementation work? We take the formulas of a logic as speci cations of behaviour; it is then the proofs of these formulas that are implemented. Underlying this is an important correspondence, attributed to Curry and Howard and illustrated in Figure 2, which identi es a constructive logic and a (functional) programming language.

Constructive Logic

Programming Language

Formula Type Proof Value Conjunction ^ Product or record type Disjunction _ Sum or union type Implication ! Function space Existential quanti cation 9 `Dependent' record type Universal quanti cation 8 `Dependent' function type

Fig. 2. The Curry-Howard correspondence

Under the Curry-Howard correspondence the formulas of a logic are seen as the types of an expressive type system which includes not only record, union and function types but also dependent function types (x 2 A) ! B in which B can depend upon x, so that the type of a function application can depend upon the value to which the function is applied. These types correspond

to universally quanti ed formulas, while a dependent record type represents an existentially quanti ed statement | we shall see this in Section 3.1. Given this explanation we can now see how our implementation is built. The formulas of our interval logic become the types of functions which implement the speci cations that the formulas embody.

3 Introducing Alf The logic used here is a standard formulation of a constructive logic in Alf. As we explained in Section 2 we can view Alf as a functional programming language with a strong type system. It is for this reason that we chose to use Alf here rather than, say, Coq; in Coq the proof terms are implicit rather than explicit, and we wanted to emphasise these functions in our account. We explain the basics of the system by means of a sequence of examples

3.1 Basic constructive logic in Alf Built into the system is the type

Set 2 Type

which is the type of sets or alternatively the type of propositions. Types are de ned in Alf by inductive de nitions, these are a strengthening of the algebraic data types of standard functional languages such as Haskell [9]. We rst de ne a trivially true proposition True by giving it a single element, trivial. Constructors of types are given in boldface; here we see that trivial is a constant, that is a 0-ary constructor.  True 2 Set = data ftrivial ( )g Thinking set theoretically, True is a one element set. A False proposition is a proposition with no proof, or an empty type, which has no constructors:  False 2 Set = data < > The angled brackets here indicate that the type has no constructors, and so is indeed empty. Next, we have a de nition of conjunction: 2 And(P; Q 2 Set) 2Set  4 P = data conj pq 22 Q

This de nition of a data type states that to construct an element of And P Q it is necessary to use the single constructor conj. This requires two arguments to construct an element of the conjunction, namely elements p of P and q of Q.

In other words, it is necessary to supply proofs of both conjuncts to give a proof of the conjunction. We also have a de nition of a constructive disjunction 2 Or(P; Q 2Set) 2 Set  4 (p 2 P) = data inl inr (q 2 Q)

To supply an element of Or P Q we need either to give an element p of P, making inl p 2 (Or P Q), or to give an element q of Q, so that inr q 2 (Or P Q). This is evidently a constructive disjunction, since a proof of Or P Q is a proof of one of the disjuncts; the rst disjunct if it is of the form inl p and the second disjunct otherwise. As we implied earlier, this explanation is quite di erent from a classical interpretation, and so the law of the excluded middle, (Or A (Not A)) is not valid in general. The existential quanti er is also constructive: 2 Exists(A 2 Set; P 2 (x 2 A)! Set) 2 Set 4 witness 2 A = sig proof 2 P witness We can think of this type as giving a signature; the elements of the type are structures taking the form   = ::: struct witness proof = : : : thus containing a witness of the point at which the predicate P holds together with a proof that the predicate holds at the witness, that is an element of P witness. Note that we use a dependent type here: the type of the second element: P witness depends on the rst element, witness. The syntax of Alf allows quanti ers to be written in a more readable form, with Exists x 2 A : ::::x:::: replacing Exists A ( x ! ::::x::::) where we use ::::x:::: for an expression involving x. We use this form in the remainder of the paper.

3.2 Data types The natural numbers are given by the declaration 2 Nat 2 Set  4 = data 0S ((n) 2 Nat)

and the constants zero, one, two and so on have the obvious meaning.

In our implementation of interval temporal logic we represent intervals by non-empty lists of propositions. In order to do this we have to de ne a type constructor for non-empty lists, and this constructor needs to be of the appropriate kind: since it is used to build lists of Set it needs to take a Type to a Type. The constructor is called list, and takes a Type argument, making it polymorphic: 2 list 2 (T 2 Type)8! Type 9 66 = < sing (x 2 T)  4 =  T ! data x 2 T : cons xs 2 list T ;

Because the lists are non-empty, they all have a rst and a last element. Here we use the case construction which gives case analysis (and indeed primitive recursion) over a data type, by means of pattern matching. 2 first 2 (T 2 Type; b 2list T ) ! T  4 x ! x =  T b ! case b of sing cons x xs ! x An arbitrary element of the type list T will either have the form sing x or cons x xs; the case construct requires us to give the value of first in both these cases. We can use the variables in the particular pattern in the corresponding part of the de nition. 2 last 2 (T 2 Type; b 2 list  T) ! T  4 x ! x =  T b ! case b of sing cons x xs ! last xs Although the function last takes two arguments we suppress the rst (type) argument, since it is invariably obvious from the context. The absence of one or more parameters is indicated by the superscript in last . Before we proceed, note that in this presentation of lists we take the length of a list to be the number of elements it contains minus one. In particular therefore a single element list has length zero in this formulation. The functions take and drop are used to select portions of a list. The natural number argument supplied gives an indication of the number of elements taken or dropped from the front of the list. Speci cally take n l gives a list of length n (that is comprising (n+1) elements) from the front of l, whilst drop n l removes n elements from the front of l. The e ect of this choice is that take n l and drop n l overlap by one element. 2 take 2 (T 2 Type; b 2 Nat; c 2 list T ) ! list T   9 8 66 sing x ! sing x > > > > 0 ! case c of = < cons x xs ! sing x 66 ) ( sing x ! sing x 64 =  T b c ! case b of > > > > x xs ! ; : Sn ! case c of conscons  x (take n xs)

2 drop 2 (T 2 T ype; b 2 Nat; 8 c 2 list T) ! list T 9 66